Saturday, December 1, 2007

Wireless Fun For Bad People!

This blog post is a quick one to demonstrate just how exposed your information is when you're using a shared network, be it wired or wireless.

Strong encryption on the network would mitigate this risk, but only if you are the only person on that network. So if you're on a work network, a coffee shop wireless network or any other network shared with other people, this type of attack is entirely possible. In my examples below I am on a wireless network using WPA encryption, but the attacker is also authenticated to the same wireless access point. This is a common scenario.

In the case of a wired network this attack only works if the attacker is on the same LAN as the victim.

Okay, on to the attack. In the examples below the victim is 192.168.1.200 and the gateway (the wireless access point) is 192.168.1.5.

What I used

  • Ettercap
  • Webspy (part of the dsniff suite of tools)
  • Driftnet
  • Firefox (or any browser)

What I did

In this scenario I'll be running Ubuntu (7.10) as root. It is important that I use root, since the tools listed above need raw access to the network interface. Once I have found the gateway, which is easy enough (route), I pick my target (192.168.1.200) and the gateway and ARP poison both of them to become the man-in-the-middle.

ettercap -T -M arp:remote -i eth1 /192.168.1.200/ /192.168.1.5/



This effectively puts me between the target and the gateway, so all traffic between them passes through my machine. If I had wanted to grab all traffic going out from any host on that LAN I would have used:

ettercap -T -M arp:remote -i eth1 /192.168.1.5/ //
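Since the attack above works by having one MAC address answer ARP for both the gateway and the victim, the IP-to-MAC bindings seen on the wire are the obvious place for a defender to look. The following is an added example (not from the original post) of that check in Python, run over a constructed list of ARP replies; the trusted gateway MAC and every address in it are made up for illustration.

```python
# Detect ARP cache poisoning of the kind shown above: an attacker's MAC starts
# answering for the gateway (and/or the victim). Input is a list of ARP replies
# as (sender_ip, sender_mac) pairs observed on the wire.
from collections import defaultdict

# Constructed sample: the first three replies are genuine bindings, then the
# attacker (MAC ending in :aa) begins claiming both the gateway and the victim.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.5",   "00:11:22:33:44:05"),  # gateway, genuine
    ("192.168.1.200", "00:11:22:33:44:c8"),  # victim, genuine
    ("192.168.1.7",   "00:11:22:33:44:07"),  # another host, genuine
    ("192.168.1.5",   "00:de:ad:be:ef:aa"),  # gateway now answered by attacker
    ("192.168.1.200", "00:de:ad:be:ef:aa"),  # victim also answered by attacker
]

def detect_arp_spoofing(replies, trusted=None):
    """Return a list of alert strings for suspicious ARP activity.

    Two checks:
      1. A sender IP seen with more than one MAC (a binding changed). If
         `trusted` supplies the known-good MAC for that IP, the alert names it.
      2. One MAC claiming two or more IPs: the signature of a full MITM, where
         the attacker answers for both ends of the conversation.
    """
    trusted = trusted or {}
    ip_to_macs = defaultdict(list)   # ip -> MACs seen, in order of first sight
    mac_to_ips = defaultdict(set)    # mac -> IPs it has claimed
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        if mac not in ip_to_macs[ip]:
            ip_to_macs[ip].append(mac)
        mac_to_ips[mac].add(ip)
        known = trusted.get(ip)
        if known and mac != known.lower():
            alerts.append(f"{ip} answered by {mac}, expected {known}")
        elif len(ip_to_macs[ip]) > 1:
            alerts.append(f"{ip} changed from {ip_to_macs[ip][0]} to {mac}")
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims multiple IPs: {sorted(ips)}")
    return alerts

if __name__ == "__main__":
    gateway_binding = {"192.168.1.5": "00:11:22:33:44:05"}  # constructed
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES, gateway_binding):
        print("ALERT:", alert)
```

On a real host the same pairs can be fed in from a packet capture filtered to ARP replies, or from periodic snapshots of the ARP cache.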


I then enable IP forwarding, so the intercepted traffic is passed on and the victim's connection keeps working, by running the following command:

echo 1 > /proc/sys/net/ipv4/ip_forward

I then use cat to check it's enabled (it should print 1).

cat /proc/sys/net/ipv4/ip_forward



Next I set up Webspy. Webspy is part of the dsniff suite of tools and sends any URL the target visits to my browser. I did try the Remote Browser plugin for ettercap, but it didn't work as reliably as Webspy.

webspy -i eth1 192.168.1.200



Webspy is pretty cool: in testing it sent about 80% of the URLs to my listening browser, but not all of them, and nothing from secure sites using SSL (https).


Next start up Firefox. This also needs to be done as root, so that Webspy can drive it. Any browsed URL will be sent to this browser, which opens a new tab for each one. Other browsers will probably work, but I never tested them.


Then I might set up Driftnet. Driftnet can capture images or audio from the traffic and save them to a directory, but in my example I will just display them on screen.

driftnet -i eth1



As you can see from my Driftnet window above, my target is browsing Binrev and obviously has great taste!

I could also have fired up dsniff at this stage to grab passwords and the like from cleartext protocols, using:

dsniff -i eth1

So if it's not obvious by now why this is a problem, think of it like this. When you log into your email in a web cafe or on a train's wireless network, or read anything online, then even if your computer is fully patched and you're behind a brand-new, correctly configured firewall, you are still exposed to someone on the same network seeing almost everything you do online.

And that's it. Just a little sniffing fun. And remember, as I said, this type of fun can be had on wired LANs too.
